Cyber Security

Luke Hally

Financial inclusion, digital ID and cyberwar

October 10, 2022

In this final assessment I looked at the current and emerging cyber security vulnerabilities of financial inclusion. In answering this question I looked at what financial inclusion and digital identity are, and how they are correlated. I then described three significant cyber threats posed by financial inclusion projects and how they can be controlled by applying the ACSC Essential Eight. Finally, I describe a hypothetical scenario in which financial inclusion projects and digital identity practices could introduce a new cyber threat to Australia, and present a possible solution to the threat/crime.

Abstract

Access to financial services is recognised as a way of lifting people out of poverty and giving them the means to improve their lives. It starts with access to a bank account, which can then grow into accessing credit, insurance and other financial services. These facilitate the ability to manage inconsistent cashflow, start businesses and grow wealth. Financial inclusion is a term that covers initiatives that aim to increase access to the aforementioned services, as well as government to persons (G2P) payments, typically amongst the unbanked and less affluent.

Financial inclusion initiatives typically leverage digital solutions, and in order to access these an identity is required. This report will demonstrate the importance of digital identity in financial inclusion by introducing the “digital stacks” which financial inclusion is built on. It will continue by examining potential vulnerabilities in financial inclusion and digital identity solutions before considering a scenario in which a hostile state actor could exploit these vulnerabilities in an act of cyber war.

Report

Financial inclusion is a term indicating that individuals and businesses have access to useful and affordable financial products and services that meet their needs. These can include bank accounts, credit, insurance and government to person (G2P) payments. It has the potential to help the previously ‘unbanked’, people who do not have access to financial services, manage an irregular income and plan for the future (Kodjo, 2018). Financial inclusion plays a key role in reducing extreme poverty and is an enabler of several of the United Nations’ Sustainable Development Goals (World Bank Group, 2022), with an inclusive financial system enhancing efficiency and the welfare of the population at large (Nanda & Kaur, 2016, p.128). Increases in per capita income, rule of law, education and literacy as well as reduced poverty are correlated with financial inclusion (Park & Mercado, 2016, p. 63).

The level of financial inclusion of an economy can be assessed using the Index of Financial Inclusion (IFI), which is calculated from three dimensions: banking penetration, availability of banking services and usage of banking services (Nanda & Kaur, 2016, p.135). According to Nanda & Kaur the Index of Financial Inclusion has a strong and positive correlation with the Human Development Index (2016, p.141), which measures key dimensions of human development, being life expectancy, education and Gross National Income per capita (United Nations Development Programme, 2022).

Deploying financial inclusion initiatives is a challenge, and digital solutions play a key role in overcoming the challenges of cost and distance (Arner et al., 2019, pp. 57-58). This is recognised in both the World Bank’s five pillars to achieve “financial access and responsible financial inclusion” (World Bank Group, 2022, Strategy tab) and the G20’s Global Partnership for Financial Inclusion’s (GPFI) eight high level principles for digital financial inclusion (GPFI, 2016). This reliance on digital solutions requires a reliable means of identification for participants (Kodjo, 2018).

Digital identity has a number of interpretations, commonly split into ‘digital identity’ (how one authenticates oneself) and the ‘online self’ (social-cultural constructions of representations) (Feher, 2019, p. 194). This report will focus on digital identification as a means of authenticating oneself, as per Australia’s Digital Transformation Agency definition: “A distinct electronic representation of an individual which enables that individual to be sufficiently distinguished when interacting online, including when accessing online services.” (2021).

Identity is fundamental to finance. It is required for know-your-customer (KYC) requirements, to mitigate fraud and crime, and to ensure market integrity. However, identification can be a major barrier to accessing financial services (Arner et al., 2019, p. 54). Digital identity is widely used for accessing digital services (Laurent & Bouzefrane, 2015) and is critical for successful digital economies (ID4D, 2019). Digital identification can foster access to services and economic opportunities, promote human rights, and also empower people with more control over their personal data (World Bank Group, 2021, p. 10).

Having established that identity is fundamental to finance and accessing digital solutions, and that financial inclusion is reliant upon digital solutions, it follows that identity is also critical for financial inclusion projects. Knowing that a “major barrier” (Arner et al., 2019, p. 54) to access financial services is identification and that digital identity is core to overcoming this, we can conclude that digital identity is a key requirement of financial inclusion projects. Digital identity is the first step towards financial inclusion (Kraus et al., 2022, p. 25) which facilitates simplified creation of accounts, delivery of financial services (Bandura & Ramanujam, 2021, p. 8) and is necessary for a solid financial system (Arner et al., 2019, p. 68).

We can see this reflected in the World Bank’s “Digital Stack” (figure 1) and the Alliance for Financial Inclusion’s digital payments and financial services model (figure 2), which both include digital identity as a critical element.

Figure 1: World Bank Digital Stack

(World Bank Group, 2021, p. 5)
Figure 2: AFI’s digital payments and financial services model
(Alliance for Financial Inclusion, 2019, p. 5)

Financial services is the industry most targeted by cyber attacks, which can impact financial stability and the benefits of financial inclusion (Georgieva, 2020). Due to the popularity of digital solutions, financial inclusion projects and digital identity are vulnerable to any type of cyber attack, but I will focus on: Authoritarian regimes/state surveillance; phishing/social engineering; and data breaches.

State surveillance is a significant threat. Of course, we have seen authoritarian regimes throughout history and before the rise of digital technology (e.g. Stalin, Hitler), but digital technology makes state surveillance easier, cheaper and more pervasive. A government can introduce legislation to allow surveillance, as seen in Australia, with little resistance or even public knowledge (Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021, 2021; Identity-Matching Services Bill 2019, 2019; Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, 2018) and proceed to surveil. Once introduced, surveillance can impinge on privacy, which can have a chilling effect on a populace and makes dissent unlikely (The Transnational Institute, 2017); this can enable government overreach and empower authoritarian regimes. While decentralised approaches to the aforementioned digital stacks are emerging (World Bank Group, 2021, p. 11), there are also numerous examples of centralised digital identity systems. These include Belgium’s eCard, Netherlands’ DigiD, India’s Aadhaar (World Bank Group, 2020), Hong Kong (Dobberstein, 2021), Australia’s Digital Identity (Digital Transformation Agency, 2022) and plans in China (Zheng, 2022).

Taking Australia as an example, combining a centralised digital identity with the previously mentioned surveillance legislation, we are given the impression of a government that has the appetite, and seeks the means, to surveil its populace. Overseas, China’s increasing influence has raised concerns about digital identity being used for authoritarian ends (Bandura & Ramanujam, 2021, p. 1). This is reinforced by recent news that China is seeking agreement from the Solomon Islands “to strengthen cooperation on ‘cybersecurity’ and promoting ‘formulating rules for global data governance’” (Lyons, 2022). These centralised digital identity systems present a threat if used with state surveillance systems, such as those introduced in Australia.

Phishing and social engineering are well established methods for defrauding people, and financial inclusion initiatives are seen as softer targets (Maurer & Nelson, 2021), with the newly banked being more likely to be victims of phishing attacks (Baur-Yazbeck, 2018). A lack of cyber awareness and training of staff is a contributor (Kraus et al., 2022, p. 27), with examples of staff who have been deceived into sharing their login credentials with attackers spanning Ghana, Kenya, Tanzania, Uganda and Zambia (Baur-Yazbeck, 2018).

Finally, as financial services become increasingly digitised and the volume of sensitive data grows, so too does the potential for data breaches to impact systems and individuals (Alliance for Financial Inclusion, 2019, p. 3). Providers of financial inclusion initiatives are susceptible to hacking and data breaches due to poor system patch management, poor logging practices and legacy systems. Examples of data breaches in financial inclusion and digital identity are numerous, including customer identity theft in Kenya (Baur-Yazbeck, 2018); the breach of Pakistan’s national biometric system (NADRA) in November 2021 (Tribune, 2021); and India’s Aadhaar system, which has been breached on numerous occasions including in 2018 (Roy, 2018), in 2019 and in June this year (Singh, 2022).

The ACSC Essential Eight could help control the threats of phishing/social engineering and data breaches. As outlined in table 1, each strategy of the Essential Eight plays a role in mitigating these threats. Unfortunately they cannot do much to protect against an authoritarian regime which has legislated backdoors to systems. To offer some protection against state surveillance, encryption can be used in communications, as this has proven effective previously (Cook, 2016).

Table 1: How the Essential Eight mitigation strategies can control the threats

Essential Eight mitigation strategy | How it can control the threats
Application control | This will help prevent the execution of malware. In the event that malware is executed, it will be logged.
Patch applications | This will ensure patches are installed, and the vulnerability scans will prevent poor patch management.
Configure Microsoft Office macro settings | This strategy will help prevent accidentally installed malicious Microsoft Office scripts from executing.
User application hardening | This strategy will prevent users from inadvertently creating vulnerabilities in user applications.
Restrict administrative privileges | This strategy will limit damage in the event that a staff member falls victim to a phishing attack.
Patch operating systems | This will ensure patches are installed, and the vulnerability scans will prevent poor patch management.
Multi-factor authentication | This strategy will limit attacker access in the event of compromised credentials.
Regular backups | In the event of data loss or a ransomware attack, this strategy will allow tested backups to quickly restore data and systems to maintain operability.

As demonstrated, financial inclusion and digital identity are inextricably linked and give us the opportunity to explore some interesting cybersecurity scenarios. We are going to explore a scenario combining the above mentioned threats of state surveillance, phishing and data breaches, but in the role of state surveillance it will be a hostile state, China, surveilling the citizens of a target state, Australia. This has a basis in recent events: China has been accused of “malicious cyber activities” (Hurst, 2021) and, more recently, the Chinese APT group Red Ladon spent several months mining data from various levels of Australian government and news organisations with a sophisticated phishing campaign (Venkat, 2022).

Australia has a digital identity system which can be used to access various government services, including those aligned with financial inclusion goals such as receiving G2P payments (Services Australia, 2022), and which corresponds to the second layer of the World Bank’s digital stack, “Digital ID, authentication and e-Signatures”.

In our scenario, China wants to cause widespread concern and mistrust in the government. This attack will involve gaining access to Australia’s digital identity platform via MyGovID, then using this to disrupt government payments. They will do this through an attack lifecycle as outlined in figure 3.

Figure 3: Mandiant Attack Lifecycle

(Mandiant, 2021)

The initial reconnaissance will take place in an area that China understands and is known to target, the Chinese Australian diaspora (HRW, 2021), targeting them with propaganda on social media and building a database of likely first targets. This campaign will aim to promote pro-China and anti-Australian sentiment.

The initial compromise will involve gaining access to their social media accounts via a combination of phishing and social engineering, targeting participants from the recon stage. Protection: increased cyber awareness and civilianisation to protect the population against phishing.

Once social media accounts are compromised, the internal reconnaissance and lateral movement stages will take place, where the connections of compromised accounts will be targeted and compromised in turn. The disinformation campaign will continue on all compromised accounts to continue to sway opinion. Protection: increased cyber awareness and civilianisation to protect and educate the public on secure social media settings and password management.

Once a sufficient number of accounts are compromised, privileges will be further escalated. Note: this should include a significant number of Australian citizens who harbour anti-western sentiment. The disinformation campaign will change gears to a spear phishing campaign posing as Human Rights Watch, informing recipients that the Australian government has potentially identified them as Chinese sympathisers and will use their digital identity to track them. The email will go on to give measures that can be taken to prevent this by changing default settings in MyGovID. This campaign will leverage a fake MyGovID website and act as a monkey-in-the-middle (MitM) to bypass MFA security measures and gain access to MyGovID (see figure 3). Protection: increased cyber awareness and civilianisation to protect the population against phishing; geolocation of the login and of the MFA action to identify and prevent remote MitM attempts; and login attempts from a new device triggering a verification code to be sent (with a warning never to share it and never to give it over the phone) and entered manually, making it difficult for a MitM.

Mission completion is where the Chinese government will access individuals’ MyGovID, turn off notifications, change login credentials and disconnect government services (figure 4). This will impact the most needy: government payments will be cancelled, and an inability to log in to MyGovID will make engaging with government services difficult and time consuming, potentially causing a DDoS on government service phone lines, email and physical offices. The aim is that this final stage will catalyse the mistrust built during the initial stages into open civil unrest and distrust of all government agencies, and reduce resistance in a kinetic (physical warfare) situation. Protection: suspicious access of MyGovID (e.g. overseas access, or a mismatch between the login location and the MFA location) triggers a call to the account owner to verify before processing the login.
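One way to implement the login checks suggested in the protections above (login vs MFA geolocation, overseas access, new devices) as risk rules, written here as an added example and not MyGovID’s or the DTA’s own logic; the event fields, the sample coordinates and the 100 km threshold are assumptions:

```python
# Added illustration (not MyGovID's or the DTA's logic): risk rules for a
# digital-identity login built from the protections suggested in the scenario.
# A login is compared with the MFA approval that authorised it. If the session
# and the approval come from far apart places, the approval may have been
# relayed through a fake site (the MitM case), so the login is held and the
# owner is called. Overseas access is held too; a new device is allowed only
# after a manually entered verification code. Fields, coordinates and
# thresholds are assumptions.
from dataclasses import dataclass
import math

EARTH_RADIUS_KM = 6371.0
MAX_LOGIN_MFA_DISTANCE_KM = 100.0  # assumed same-city tolerance for login vs MFA


@dataclass
class LoginEvent:
    account: str
    login_lat: float      # geolocation of the session presenting the credentials
    login_lon: float
    login_country: str
    mfa_lat: float        # geolocation of the device that approved the MFA prompt
    mfa_lon: float
    device_known: bool    # has this device logged in to the account before?
    home_country: str = "AU"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess_login(ev):
    """Return the action to take for a login and the reasons behind it."""
    reasons = []
    distance = haversine_km(ev.login_lat, ev.login_lon, ev.mfa_lat, ev.mfa_lon)
    if distance > MAX_LOGIN_MFA_DISTANCE_KM:
        reasons.append("login/mfa location mismatch")
    if ev.login_country != ev.home_country:
        reasons.append("overseas access")
    if not ev.device_known:
        reasons.append("new device")

    # Decision ladder. A location mismatch or overseas access is handled out of
    # band (a call to the owner) because a code sent to the user could itself be
    # relayed by the same fake site; a new device alone gets a code that must be
    # typed in, with the warning never to share it.
    if "login/mfa location mismatch" in reasons or "overseas access" in reasons:
        action = "hold and call account owner"
    elif "new device" in reasons:
        action = "require manually entered verification code"
    else:
        action = "allow"
    return {"action": action, "reasons": reasons, "distance_km": round(distance, 1)}


# Constructed sample events (coordinates are approximate city centres).
LEGITIMATE = LoginEvent("user-a", -33.87, 151.21, "AU", -33.88, 151.20, True)
NEW_DEVICE = LoginEvent("user-a", -33.87, 151.21, "AU", -33.88, 151.20, False)
# Session presented from Melbourne while the MFA approval came from Sydney:
# the pattern a relayed (MitM) approval would produce.
RELAYED = LoginEvent("user-b", -37.81, 144.96, "AU", -33.87, 151.21, True)
# Session originating outside the home country; "XX" is a placeholder country code.
OVERSEAS = LoginEvent("user-c", 51.50, -0.12, "XX", 51.50, -0.12, True)

if __name__ == "__main__":
    for ev in (LEGITIMATE, NEW_DEVICE, RELAYED, OVERSEAS):
        print(ev.account, assess_login(ev))
```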

Figure 4: Australia’s Digital Identity Ecosystem
(Digital Transformation Agency, 2021)

Conclusion

Financial inclusion aims to help lift people out of poverty and increase their participation both socially and economically, and it is being driven primarily by digital solutions that overcome the challenges of cost and distance. A critical requirement for inclusion, and often a barrier to entry, is identity; digital identity is a promising solution to this challenge. Digital identity is vital to the success of financial inclusion initiatives and it forms a critical part of the World Bank’s “Digital Stack” and the Alliance for Financial Inclusion’s digital payments and financial services model. However, with digital solutions and digital identity being key for financial inclusion initiatives, three vulnerabilities were investigated: state surveillance, phishing, and data breaches. We discovered that each mitigation strategy of the ACSC Essential Eight can be used to control phishing and data breaches, but they are not much help against legislated back doors; encryption, however, could help preserve privacy even with backdoors in use.

These vulnerabilities were then explored through a scenario which tied them together in the context of a hostile state following the Mandiant attack lifecycle, using digital identity as a vector to launch an attack against financial inclusion measures in Australia and sow distrust in the government. While exploring each stage of the attack lifecycle, protections were suggested to break the lifecycle.

An area of directly related further research is how a digital identity system can be set up that preserves privacy and security but has transparent governance to prevent its use by an authoritarian state (internal or external). Biometrics feature in some of the systems as credentials, and research is active in the field of cancelable biometrics (Q. N. Tran et al., 2021); an interesting area of further investigation would be the role the government plays in mandating the use of cancelable biometrics in digital identity systems and more broadly.

References

ADB Institute, Financial Services Agency, Japan, & International Monetary Fund Regiona. (2015). Financial system stability, regulation, and financial inclusion. Springer.

Alliance for Financial Inclusion. (2019). Cybersecurity for financial inclusion: Framework & risk guide. https://www.afi-global.org/sites/default/files/publications/2019-11/AFI_GN37_DFS_AW_digital_0.pdf 

Arner, D. W., Zetzsche, D. A., Buckley, R. P., & Barberis, J. N. (2019). The identity challenge in finance: From analogue identity to digitized identification to digital KYC utilities. European Business Organization Law Review, 20(1), 55–80. https://doi.org/10.1007/s40804-019-00135-1

Bandura, R., & Ramanujam, S. (2021). Enhancing Financial Inclusion through Digital ID. Center for Strategic & International Studies. https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210708_Bandura_Digital_ID.pdf?V3X_5jS0vr_2_1cvZy.d4DMh6UQsnxEE

Baur-Yazbeck, S. (2018, September 18). 4 Cyber Attacks that Threaten Financial Inclusion. CGAP. https://www.cgap.org/blog/4-cyber-attacks-threaten-financial-inclusion

Cook, T. (2016, February 16). Customer letter. Apple. https://www.apple.com/customer-letter/

Digital Transformation Agency. (2020, November 16). Digital identity Australian government. Digital Identity. https://www.digitalidentity.gov.au/privacy-and-security/security

Digital Transformation Agency. (2021, June 14). Digital identity Australian government. Digital Identity. https://www.digitalidentity.gov.au/about/the-system

Digital Transformation Agency. (2022, July 22). Digital identity Australian government. Digital Identity. https://www.digitalidentity.gov.au/create-or-manage-your-digital-identity

Dobberstein, L. (2021, July 14). Hong Kong working to share its digital IDs with mainland China. The Register. https://www.theregister.com/2021/07/14/hong_kong_sharing_digital_id_with_china/

FIAP. (2020, April 20). Home. FIAP. https://www.fiap.org.au

Feher, K. (2019). Digital identity and the online self: Footprint strategies – An exploratory and comparative research study. Journal of Information Science, 47(2), 192–205. https://doi.org/10.1177/0165551519879702

Georgieva, K. (2020, December 10). Financial inclusion and cybersecurity in the digital age. IMF. https://www.imf.org/en/News/Articles/2020/12/10/sp121020-financial-inclusion-and-cybersecurity-in-the-digital-age

Good Shepherd. (2018, March 15). Why FIAP? FIAP. https://www.fiap.org.au/whyfiap

GPFI. (2016, July).  G20 High-Level Principles for Digital Financial Inclusion. GPFI Global Partnership for Financial Inclusion. https://www.gpfi.org/sites/gpfi/files/G20%20High%20Level%20Principles%20for%20Digital%20Financial%20Inclusion.pdf

Hally, L. (2021a). Can I reset my fingerprint? UNSW.

Hally, L. (2021b, December 2). The war on encryption. A Cyber Security Blog by Luke Hally. https://www.lukehally.au/government/the-war-on-encryption/

HRW. (2021, June 30). “They don’t understand the fear we have.” Human Rights Watch. https://www.hrw.org/report/2021/06/30/they-dont-understand-fear-we-have/how-chinas-long-reach-repression-undermines

Hurst, D. (2021, July 20). Australia joins allies in accusing China of ‘malicious cyber activities.’ The Guardian. https://www.theguardian.com/world/2021/jul/19/australia-joins-allies-in-accusing-china-of-malicious-cyber-activities

ID4D. (2019, September 8). About Us: Identification for Development. Identification for Development. https://id4d.worldbank.org/about-us

ID4D. (2020, September 14). Good ID supports multiple development goals. Identification for Development. https://id4d.worldbank.org/guide/good-id-supports-multiple-development-goals

Identity-matching services bill 2019, House of Representatives (2019) (testimony of Parliament of Australia & Home Affairs). https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6387 

Kodjo, T. (2018, November). Digital financial inclusion – ITU PP-18 – Plenipotentiary Conference. ITU Plenipotentiary Conference 2018 (PP-18). https://www.itu.int/web/pp-18/en/backgrounder/digital-financial-inclusion

Kraus, K., Kraus, N., & Shtepa, O. (2022). Practice of the implementation cyber security and financial inclusion at the micro-, macro- and global levels of the economy. VUZF Review, 7(2), 25–40. https://doi.org/10.38188/2534-9228.22.2.03

Laurent, M., & Bouzefrane, S. (Eds.). (2015). Digital identity management (pp. 1–45). Elsevier.

Lyons, K. (2022, May 25). Deal proposed by China would dramatically expand security influence in Pacific. The Guardian. https://www.theguardian.com/world/2022/may/26/deal-proposed-by-china-would-dramatically-expand-security-influence-in-pacific

Mandiant. (2021, December 6). Targeted attack lifecycle. Mandiant. https://www.mandiant.com/resources/insights/targeted-attack-lifecycle

Maurer, T., & Nelson, A. (2021, March). The global cyber threat to financial systems – IMF F&D. IMF. https://www.imf.org/external/pubs/ft/fandd/2021/03/global-cyber-threat-to-financial-systems-maurer.htm

Nanda, K., & Kaur, M. (2016). Financial inclusion and human development: A cross-country evidence. Management and Labour Studies, 41(2), 127–153. https://doi.org/10.1177/0258042x16658734

Park, C.-Y., & Mercado, R. V., Jr. (2016). Does financial inclusion reduce poverty and income inequality in developing Asia? In S. Sasidaran & T. Kikuchi (Eds.), Financial Inclusion in Asia (pp. 61–92). Palgrave Macmillan UK. http://dx.doi.org/10.1057/978-1-137-58337-6_3

Roy, S. (2018, March 6). Aadhaar: India’s flawed biometric database. The Diplomat. https://thediplomat.com/2018/03/aadhaar-indias-flawed-biometric-database/

Scott, B. F. (2020). Red teaming financial crime risks in the banking sector. Journal of Financial Crime, 28(1), 98–111. https://doi.org/10.1108/jfc-06-2020-0118

Services Australia. (2022). myGov help – Link Centrelink to myGov using your Digital Identity. Services Australia. https://www.servicesaustralia.gov.au/mygov-help-link-centrelink-to-mygov-using-your-digital-identity

Singh, S. (2022, June 14). New Aadhaar data leak exposes 11 crore Indian farmers’ sensitive info. Zee News. https://zeenews.india.com/personal-finance/aadhaar-data-breach-over-110-crore-indian-farmers-aadhaar-card-data-compromised-2473666.html

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021, House of Representatives (2021) (testimony of Home Affairs). https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6623 

Telecommunications and other legislation amendment (assistance and access) bill 2018, House of Representatives (2018) (testimony of Parliament of Australia & Home Affairs). https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6195 

The Transnational Institute. (2017, November 30). Understanding and challenging authoritarianism. Transnational Institute. https://www.tni.org/en/publication/understanding-and-challenging-authoritarianism

Tran, Q. N., Turnbull, B. P., & Hu, J. (2021). Biometrics and privacy-preservation: How do they evolve? IEEE Open Journal of the Computer Society, 2, 179–191. https://doi.org/10.1109/ojcs.2021.3068385

Tribune. (2021, November 26). NADRA data leak. Tribune. https://tribune.com.pk/story/2331199/nadra-data-leak

UN SDGS. (2015, September 25). Transforming our world: the 2030 Agenda for Sustainable Development. United Nations Department of Economic and Social Affairs. https://sdgs.un.org/2030agenda

United Nations Development Programme. (2022). Human development index. Human Development Reports. https://hdr.undp.org/data-center/human-development-index#/indicies/HDI

Venkat, A. (2022, August 30). Chinese cyber espionage campaign targeted Australia, South China Sea energy sector, says study. CSO Online. https://www.csoonline.com/article/3671908/chinese-cyber-espionage-campaign-targeted-australia-south-china-sea-energy-sector-says-study.html

World Bank Group. (2020, July 10). Types of ID systems. Identification for Development. https://id4d.worldbank.org/guide/types-id-systems

World Bank Group. (2021). ID4D & G2Px ANNUAL REPORT 2021. https://documents1.worldbank.org/curated/en/436051643089705385/pdf/Identification-for-Development-ID4D-and-Digitalizing-G2P-Payments-G2Px-2021-Annual-Report.pdf

World Bank Group. (2022, March 29). Overview. World Bank. https://www.worldbank.org/en/topic/financialinclusion/overview

Zheng, W. (2022, March 12). China plans digital version of national identification card later this year. South China Morning Post. https://www.scmp.com/news/china/politics/article/3170214/china-plans-digital-version-national-identification-card-later
